The National Resistance Movement App and Digital Politics in Uganda
Part 1: Elections — There’s An App for That
Part 2: Why Investigate Election Apps?
Part 3: Campaign Apps Ghana 2020
Part 4: The National Resistance Movement App and Digital Politics in Uganda
Information and Communications Technology in Uganda
Days before Uganda’s January 2021 election, President Yoweri Kaguta Museveni posted an animated video of himself joining the #Jerusalemachallenge in response to reported requests from young voters. The challenge was a viral social media trend in which people from Buenos Aires to Odessa posted videos of themselves dancing to the South African hit song. The President’s video garnered nearly 20,000 reactions on Facebook with another 3,400 likes on Twitter.
Critics assert that the politician’s playful video belies the grave reality of Uganda’s political situation. Uganda’s 2021 election campaign was the most violent election in the country’s history. Two months prior to Museveni posting this clip, dozens of individuals were killed and over 500 arrested when police arrested Bobi Wine, a musician-turned-politician and Museveni’s most prominent presidential opponent, prompting a clash between Wine’s supporters and the police. Police claimed Wine’s campaign had violated COVID-19 measures; Wine’s team insists the government was simply suppressing their campaign. Two months prior, the Ugandan military classified red berets — the signature token of Wine’s People Power
movement — as military attire, banning it from the streets, from political gatherings, and from public life altogether.
Over the years, Museveni’s National Resistance Movement party has used the new tools afforded by the internet to maintain its political power.
Since its independence from British colonial rule in 1962, Uganda has never had a peaceful transfer of power. In the 1970s and 1980s, Museveni led uprisings against dictators before assuming office in 1986. Since that time, Uganda has amended its Constitution twice to allow Museveni to remain in power as he aged. Today, thirty-five years later, he’s one of the world’s longest-running heads of state. With two-thirds of Ugandan voters under the age of thirty and nearly 80% under thirty-five, an entire generation of young Ugandans has lived with Museveni in power, and winning their support — even through frivolous videos — is crucial for anyone seeking office.
The East African country of 44 million has witnessed changes during Museveni’s presidency, but major problems persist. In the years following his rise, Museveni tackled the AIDS crisis across the country and led Uganda through a phase of economic recovery. Growth has slowed in recent years as government officials persecute its critics and operate with impunity, establishing “the most influential authoritarian model in the region.” In the run up to the 2021 presidential election, law enforcement attacked journalists covering the race so brutally that several were hospitalized, including one who allegedly sustained a fractured skull. American and European civic groups planning election monitoring efforts across the country abandoned their plans in response to intensified hostility from the state. Twenty-six election observers from the civil society organization The Africa Elections Watch overseeing the contest were arrested.
Over the years, Museveni’s National Resistance Movement party has used the new tools afforded by the internet to maintain its political power. After the arrival of the Pakistan-based Warid Telekom in Uganda in 2008, mobile phone communications grew dramatically. In December 2009, 9.38 million Ugandans accessed the internet via mobile devices. Just twenty-four months later the number nearly doubled. From 2010 to 2014, mobile broadband subscriptions grew 70% year-on-year. With an increasingly connected electorate at home, Museveni gained the means by which to monitor and reach voters. Activists and critics assert that Museveni’s government has exploited the expansion of the telecommunications industry to surveil mobile networks — and intercept voters’ communications and track their movements — under the justification of national security as authorized by a collection of laws: the Anti-Terrorism Act (2002), the Regulation of Interception of Communication Act (2010), the Computer Misuse Act (2011), the Electronic Signatures Act (2011), the Electronic Transactions Act (2011), the Anti-Pornography Act (2014), the Communications Act (2013 but later amended in 2017), and the Data Protection and Privacy Act (2019). These legislative interventions are considered a regression of Ugandans’ digital rights.
With an increasingly connected electorate at home, Museveni gained the means by which to monitor and reach voters.
Before the February 2011 presidential election, Ugandan voters received pre-recorded robo-calls from the Museveni campaign reminding them to vote for him. Days before the election, the Uganda Communications Commission (UCC) furnished SMS providers with a list of keywords and phrases believed to instigate unrest. Texts containing these terms were to be blocked, which the UCC justified under election integrity. Two months after the election, opposition presidential candidates who lost to Museveni spearheaded the ‘Walk to Work’ protest to call attention to the escalating cost of living resulting from inflation and fuel costs that had risen 50% in four months. At the height of the protest, the UCC shut down access to social media across the country for 24 hours, undermining the demonstration’s mobilization efforts.
After the 2011 elections and before the 2016 elections, Ugandan authorities — acting on orders issued by Museveni himself — started using intrusion malware to surveil people suspected of supporting Museveni’s opposition, including civil society actors and journalists. The central malware of the operation enabled government agents to access passwords, files, microphones and cameras of targets without their knowledge, and in some cases, people with connections to the government’s targets were bribed to infect targets’ devices. Some hotels in Uganda cooperated in the scheme, allowing agents to install fake WiFi access points at places where formal business negotiations and official meetings between heads of state were held. As the NGO Privacy International notes in its report published four months before the 2016 elections, “The Ugandan Government is also currently in advanced stages of procuring a communications monitoring centre, five years after its Parliament passed the Regulation of Interception of Communications Act.” Civic engagement in the 2016 elections was higher than normal because the 2016 presidential race was the first to include a televised presidential debate. As the 2016 elections neared, Museveni sent unsolicited mass texts to subscribers of Airtel Uganda, a telecoms company, via a third-party service. Recipients wishing to unsubscribe had to pay UGX 220 (0.05 EUR) to do so. On the day of the election, Museveni instituted a ban on social media on mobile devices, calling the change a “security measure to avert lies … [lies] intended to incite violence and illegal declaration of election results.” Critics maintain that the clampdown prevented voters from documenting and sharing instances of voting irregularities. Museveni won the election with a reported 60% of the vote.
Years later, the pattern of meddling with digital technology or political gain has continued. In 2018, the Ugandan government — partly, it seems, out of recognition of the democratizing force of social media — instituted a social media tax. The tax imposed a UGX 220 (0.05 EUR) cost per day on a bundle of 60 apps, including Facebook, Twitter, WhatsApp, Instagram, Skype, and Yahoo Messenger. The tax cost about 20% of what Ugandans pay for their phone plans, leading many price-sensitive Ugandans to cease their internet usage altogether. At the time Museveni wrote on his blog, “Social media use is definitely a luxury item…Internet use can sometimes be used for education purposes and research. This should not be taxed. However, using internet to access social media for chatting, recreation, malice, subversion, inciting murder, is definitely a luxury.”
Three days before the most recent election on January 14, 2021, the Atlantic Council’s Digital Forensic Research Lab revealed networks of fake, pro-government accounts on Facebook and Twitter apparently linked to Uganda’s Ministry of Information and Communications Technology. Both companies removed these accounts, prompting pro-government actors online to campaign with the hashtag #StopTechcolonisation. Museveni claimed that Facebook was taking sides, and that it would not be permitted to operate in Uganda. This time, the internet shutdown lasted 100 hours, costing Ugandans — who rely heavily on mobile apps to transact with one another — an estimated 9 billion USD. The shutdown also hurt opposition groups, who increasingly resorted to social media as government crackdowns on traditional media and journalists undermined press freedom. Museveni was ultimately declared the election’s winner.
National Resistance Movement App
One month before the 2021 election, Museveni released a YouTube video entitled “ICT sector #Uganda.” In it, Museveni’s voiceover proclaims over stirring background music, “The new technology should help all people produce products and services according to the principles of comparative advantage.” On-screen text boasts the extent of e-government services before closing with a bold vision about the promise of the Nation Resistance Movement’s (NRM) e-services.
Given the recent elections in Uganda, Museveni’s past handling of digital technologies, and the promises of his NRM campaign video, Tactical Tech’s Data & Politics teamed up with The App Analyst to explore how Museveni’s National Resistance Movement (NRM) approached the personal data of Ugandans in practice. Campaign and party apps around the world are growing in popularity but are still unregulated and unchecked. Understanding how political groups’ apps work in practice allows us to spot differences between politicians’ grand visions and the realities of what their technologies do, as researchers and activists have done in India, the US, UK, and beyond. What might an analysis of the NRM’s official app reveal?
NRM’s Android app has over 1,000 installs and, as of the time of writing, was last updated in February 2021, more than one month after the elections took place. On Android, the app requests permission to access users’ precise GPS coordinates, photos, media files, camera (to take photos or videos), and microphone (to record audio). The app has overwhelmingly positive reviews, with the vast majority of reviewers rating it five stars.
The iOS app, on the other hand, was of particular interest to us because — although Android usage in Uganda eclipses iOS usage — the app’s developer, Jaguza Tech Uganda Limited, provided no privacy policy for the app. (The privacy policy is a document explaining how a company uses its users’ data. Without it, users have no way of knowing, for instance, if their data is being shared with a third-party or if it’s already being used by a third-party by virtue of using the service.) The Apple App Store states that the developers must submit a privacy policy when they next update the app, which was most recently updated in November 2020. Of the eight apps Jaguza Tech has released on the iOS App Store, only three have any privacy disclosures. These eight apps include a plant health monitoring app that uses deep neural networks to classify images of leaves to detect disease and georeferences images to warn farmers of outbreaks, an animal tracking app for farmers, a gospel church app enabling users to livestream sermons, a tractor booking app, a tourism app, a tick management app, and Uganda’s Electoral Commission app.
We also grew interested in the app because its functionality was quite limited. As the app’s creators mention on the App Store, “The NRM APP provides latest news updates from NRM, Events, Achivements [sic] and public communication.” In other words, the party uses the app to send supporters updates. Our team has written about how campaign apps from the Dominican Republic, India, the United States, and beyond have jeopardized voters’ data. Many of these apps contained functionality more complex than that of the NRM app. Could the NRM app’s simplicity foster a secure user experience, or is the absence of a privacy policy a sign of bigger problems?
By downloading the app like any other user, we could interact with other users as mentioned in the App Store. We monitored traffic passing to and from the app using Charles Proxy, and many of the usual third-party suspects appeared: Facebook (to connect to Facebook’s social graph), Google (for in-app messaging), and Imgur, an online photo-sharing community from which several of the app’s images were sourced. The folder containing app files gave us access to a plethora of images: 55 campaign posters of NRM candidates running for parliament, a few dozen for news pieces, and a few videos. There was nothing untoward about these findings.
However, we also found another set of images in a directory called “UserImages.” The folder contained two distinct photos of the man we believe to be the app developer, perhaps uploaded to the app as a test. One of the images shows what appears to be the individual’s badge of membership for NRM SOMA, shorthand for the National Resistance Movement’s social media activists. The badge includes what seems to be an image of his face, his full name, ID number, date of issuance and expiry (five years apart, the length of time between national elections), and a physical return address located in central Uganda in case of loss.
Sources: iOS App Store, Transparency International
By viewing these two images via Charles Proxy, we found that they had been uploaded to a URL belonging to Bluehost, an American web hosting service company. From this URL, we were able to freely access a site with a list of all the images users uploaded to the iOS app themselves. There were over 230 image files — predominantly selfies of young to middle-aged men, occasionally with their children and one with his German shepherd. The uploaded images were taken starting in July 2020, and new images were uploaded as recently as a few days prior to the time of writing. For some photos, the device manufacturer and model of the phone was accessible. Notably, the images were different sizes, indicating lax security practices that failed to standardize or sanitize the uploaded images.
Because the images had not been sanitized, several still contained their metadata. In fact, for a handful of images, we were able to access the geolocation information stored in their metadata. This information contained the GPS coordinates pinpointing the precise spot at which the photograph in question was taken. All of the geolocated photos mapped to spots in Uganda except for one taken in Sharjah, United Arab Emirates, on February 26, about six weeks after the election.
The NRM app failed to secure its supporters’ photos, which unscrupulous actors or foreign powers could have used however they chose. This point serves as a reminder that data subjects — to use the language of the European Union’s General Data Protection Regulation — effectively relinquish control of their personal data not only when it lands in the hands of adversarial data controllers, but even when sharing data with causes they support. When shown our findings, one Ugandan stakeholder who requested anonymity remarked, “I am not surprised by the results because the NRM is widely known as a digital authoritarian government that would rather compromise the security of its supporters at the expense of retaining the presidency.”
“I am not surprised by the results because the NRM is widely known as a digital authoritarian government that would rather compromise the security of its supporters at the expense of retaining the presidency.”
In attempt to fix the issues we identified, we emailed the app’s developers repeatedly over the course of months, but we received no response. In the aftermath of a recent global Facebook incident in which the names, emails, and other identifiers of 533 million users was compromised, one expert asserted that the same barriers that prevent users elsewhere valuing their personal data also exist in Uganda. Unless people understand the financial value of their data, they suggested, users will continue to undervalue their personal data. And helping people appreciate how much their personal data is worth requires continued investments in digital literacy.
Personal Data & Politics Beyond 2021 in Uganda
This glimpse at the NRM app’s handling of personal data sets a poor precedent for the “e-education, e-security, e-government, e-health, e-extension” and other internet-based solutions Museveni’s government evidently intends to deploy, especially given the possibility that each of these services may not benefit from the same abundance of resources that the National Resistance Movement invested into its own app. If the Ugandan government proceeds to implement apps for “e-education, e-security, and e-governance,” as Museveni’s campaign video suggests, what could happen to data belonging to Ugandan citizens’ that these apps collect? Perhaps a better question might be what might happen if a rival political movement in Uganda, unable to amass power through traditional means as a result of government crackdowns, resorts to technological solutions to organize but fails to secure its users’ data properly. Given the NRM’s treatment of election monitors and journalists, how might the Ugandan government at Museveni’s behest use political opponents’ selfies or geolocation data? The mere prospect paints a chilling picture. As one specialist observed, “The NRM regime has explored every opportunity at its disposal to conduct surveillance including training security personnel abroad.”
Recent technological investments are creating new possibilities to wield technology for influence, particularly with a leader like Museveni in power. For example, Eskimi, an advertising platform that arrived in Uganda in 2017, boasts a suite of “Data-Driven Ads” products, enabling marketers “to utilize an increasingly broad set of near-real-time information to place relevant ads in front of relevant people.” Polling companies, like Research World International, IPSOS, AfroBarometer, and GeoPoll have sprung up over the past fifteen years and evolved into a cottage industry to seize the market opportunity. One commentator requesting anonymity noted that app and website developers, including those who built the NRM app, are eager to “target quick and easy NRM cash” and money from other election-related organizations. Even without any unscrupulous actions on the part of the pollsters, opportunistic political leaders can exploit the insights afforded by mass polling and by personalized data collection efforts powering the ad tech ecosystem with highly personalized ads and more invasive digital listening campaigns than those launched in 2016. Others could even wage disinformation-for-profit campaigns, marrying the highly personalized capabilities of advertising with propaganda observed elsewhere on the continent.
Some of these changes are already underway. In recent years, Uganda’s capital Kampala rolled out Huawei’s smart city solutions and installed facial recognition cameras throughout the capital (and across swaths of the African continent). When asked what the international community should know about the digital-political state of affairs in Uganda, a local activist noted, “Technology is a new weapon being used to suppress political opposition, exert power and control by dictatorial regimes like Uganda. No government in the history of Uganda has ever invested so much public resources in surveillance like the NRM, overlooking vital sectors like agriculture, employment, education and health.” With several Ugandan government offices — including the Directorate of Immigration and the Ugandan Revenue Authority — inclined to integrate national IDs and facial recognition, the risk of digital technologies abetting authoritarian, undemocratic ends, even through seemingly innocuous political apps, will grow. And as the government amasses more data and digital assets on its supporters and its critics, the National Resistance Movement will be even better positioned to continue pursuing and justifying a continued practice of digitalpolitik.
— — —
Part 1: Elections — There’s An App for That
Part 2: Why Investigate Election Apps?
Part 3: Campaign Apps Ghana 2020
Part 4: The National Resistance Movement App and Digital Politics in Uganda
Varoon Bashyakarla is a data scientist at Tactical Tech. His work explores the datafication of politics.
Gary Wright is a researcher at Tactical Tech, examining the uses of digital technologies in politics and their impacts on society.
The App Analyst is a digital security researcher with a specialty in auditing mobile apps for privacy and security vulnerabilities. Follow The App Analyst’s work here and here.
